Breach Reports Roll in Following New Australian Data Protection Regulations

On 22 February 2018, the Privacy Amendment (Notifiable Data Breaches) Act of 2017 took full effect in Australia. The legislation requires organizations responsible for protecting citizens’ data in Australia to report a security breach to the Office of the Australian Information Commissioner (OAIC) if the incident involves unauthorized access to/loss of personal information or “is likely to result in serious harm to any of the individuals to whom the information relates.” In the event they observe indicators of a potentially eligible data breach, organizations must conduct and complete an assessment within 30 days to verify if a data security incident has occurred.

Entities bound by the Notifiable Data Breaches (NDB) scheme include public sector agencies in Australia, Australia’s Capital Territory, and Norfolk Island; private businesses that generate at least $3 million annually; health service providers; and certain kinds of small businesses and non-governmental organizations.

The Results Speak for Themselves

Companies have not wasted any time in abiding by this new data protection regulation. ZDNet reports the OAIC received 31 notifications of data breaches in the first three weeks after the Privacy Amendment entered into force.

As of this writing, it’s unclear from which organizations a majority of those reports originated. But the OAIC has confirmed that it’s currently investigating an announcement from Svitzer Australia, the largest liquid natural gas (LNG) towage provider in the world. In that incident, an unknown perpetrator secretly configured three Svitzer employees’ email accounts to auto-forward messages to accounts outside of the shipping company. The intrusion, which took place between 27 May 2016 and 1 March 2018, was responsible for the secret transmission of 50,000-60,000 emails from finance, payroll, and operations.

According to the Australian Broadcasting Corporation (ABC), those emails subsequently exposed the sensitive personal details of 500 employees out of the towage provider’s 1,000-person workforce in Australia. Nicole Holyer, Svitzer’s head of communications, told ABC that the company is “offering the highest levels of support to those affected.”

2018: The Year of New Data Protection Regulations

The NDB scheme came into effect approximately two months before the European Union’s General Data Protection Regulation (GDPR) becomes enforceable. At that time, organizations around the world that collect and manage data of EU citizens will need to make sure they’re compliant with the Regulation. Otherwise, they could face a fine of either 10 million euros or four percent of their annual global turnover, whichever is higher.

Jason Hart, CTO of Data Protection at Gemalto, says organizations shouldn’t waste any time in making sure they’re prepared for GDPR.

“Up until the 25th May 2018, EU businesses will be able to get away with keeping breaches from their customers, but this will change as the focus will be on protecting data going forward,” Hart explains. “Time is running out for businesses to get their house in order before GDPR comes into effect. Once that happens, we’ll start to see the true picture of data breaches within Europe and the impact that will have on the reputation of a multitude of businesses. Companies need to realize that being breached is an inevitability and customers will not put up with those that can’t protect their data. In order to being compliant, business must follow the six-step process outlined in the legislation.”